> ## Documentation Index
> Fetch the complete documentation index at: https://cloudanix.com/docs/llms.txt
> Use this file to discover all available pages before exploring further.

# Unrestricted PostgreSQL Access Should Not Be Allowed

### More Info:

No security group should allow unrestricted inbound access to TCP port 5432 (PostgreSQL Database).

### Risk Level

Medium

### Address

Security

### Compliance Standards

SOC2, GDPR, HITRUST, AWSWAF, NISTCSF, PCIDSS, FedRAMP

### Triage and Remediation

<Tabs>
  <Tab title="Remediation">
    ### Remediation

    <AccordionGroup>
      <Accordion title="Using Console" defaultOpen="true">
        To remediate the unrestricted PostgreSQL access issue in AWS, you can follow the below steps:

        1. Go to the AWS Management Console and navigate to the RDS dashboard.
        2. Select the RDS instance that has unrestricted PostgreSQL access.
        3. Click on the "Modify" button.
        4. In the "Network & Security" section, select the "Additional Configuration" tab.
        5. Under "Security Group Rules," locate the rule that allows unrestricted PostgreSQL access.
        6. Remove the rule by clicking on the "x" icon next to it.
        7. Add a new rule that allows access only from trusted sources.
        8. Click on the "Save Changes" button.

        By following these steps, you can remediate the unrestricted PostgreSQL access issue in AWS and ensure that your PostgreSQL database is only accessible from trusted sources.

        #
      </Accordion>

      <Accordion title="Using CLI">
        To remediate unrestricted PostgreSQL access in AWS, you can follow these steps using AWS CLI:

        1. Open the AWS CLI and run the following command to get the security group ID of the security group associated with the PostgreSQL instance:

           ```
           aws rds describe-db-instances --query 'DBInstances[*].VpcSecurityGroups[*].VpcSecurityGroupId' --output text
           ```

        2. Run the following command to get the ID of the security group:

           ```
           aws ec2 describe-security-groups --filters Name=group-id,Values=<security-group-ID> --query 'SecurityGroups[*].{Name:GroupName,ID:GroupId}' --output table
           ```

        3. Run the following command to revoke the unrestricted access to PostgreSQL:

           ```
           aws ec2 revoke-security-group-ingress --group-id <security-group-ID> --protocol tcp --port 5432 --cidr 0.0.0.0/0
           ```

           This command will revoke the inbound rule that allows unrestricted access to PostgreSQL.

        4. Run the following command to verify that the unrestricted access has been revoked:

           ```
           aws ec2 describe-security-groups --filters Name=group-id,Values=<security-group-ID> --query 'SecurityGroups[*].IpPermissions'
           ```

           This command will show the current inbound rules for the security group. You should see that the rule allowing unrestricted access to PostgreSQL has been removed.

        By following these steps, you have successfully remediated the unrestricted PostgreSQL access in AWS.
      </Accordion>

      <Accordion title="Using Python">
        To remediate the unrestricted PostgreSQL access issue in AWS, you can use Python to create a security group that allows access to the PostgreSQL instance only from a specific IP address or range of IP addresses. Here are the steps to do so:

        1. First, you need to create a new security group that will be used to restrict access to the PostgreSQL instance. You can do this using the `boto3` library in Python. Here's an example code snippet that creates a new security group:

        ```python theme={null}
        import boto3

        ec2 = boto3.resource('ec2')

        # Create a new security group
        security_group = ec2.create_security_group(
            GroupName='PostgreSQLAccess',
            Description='Restrict access to PostgreSQL instance'
        )

        # Add a rule to allow access to the PostgreSQL port (5432) from a specific IP address
        security_group.authorize_ingress(
            IpPermissions=[
                {
                    'IpProtocol': 'tcp',
                    'FromPort': 5432,
                    'ToPort': 5432,
                    'IpRanges': [
                        {
                            'CidrIp': 'x.x.x.x/32' # Replace x.x.x.x with the specific IP address you want to allow access from
                        }
                    ]
                }
            ]
        )
        ```

        2. Once you've created the new security group, you need to assign it to the PostgreSQL instance. You can do this using the `modify_db_instance` method from the `boto3` library. Here's an example code snippet that assigns the new security group to the PostgreSQL instance:

        ```python theme={null}
        import boto3

        rds = boto3.client('rds')

        # Modify the PostgreSQL instance to use the new security group
        response = rds.modify_db_instance(
            DBInstanceIdentifier='your-instance-id', # Replace with your PostgreSQL instance ID
            VpcSecurityGroupIds=[
                security_group.id
            ]
        )
        ```

        3. Finally, you can verify that the access to the PostgreSQL instance has been restricted by checking the security group rules associated with the instance. You can do this using the `describe_db_instances` method from the `boto3` library. Here's an example code snippet that checks the security group rules:

        ```python theme={null}
        import boto3

        rds = boto3.client('rds')

        # Get the PostgreSQL instance details
        response = rds.describe_db_instances(
            DBInstanceIdentifier='your-instance-id' # Replace with your PostgreSQL instance ID
        )

        # Get the security group IDs associated with the instance
        security_group_ids = response['DBInstances'][0]['VpcSecurityGroups']

        # Print the security group rules associated with each security group
        for security_group_id in security_group_ids:
            response = ec2.describe_security_groups(
                GroupIds=[
                    security_group_id['VpcSecurityGroupId']
                ]
            )
            print(response['SecurityGroups'][0]['IpPermissions'])
        ```

        This code will print the security group rules associated with each security group, which should show that access to the PostgreSQL port (5432) is only allowed from the specific IP address or range of IP addresses that you specified in the security group rule.
      </Accordion>
    </AccordionGroup>
  </Tab>
</Tabs>

### Additional Reading:

* [https://docs.aws.amazon.com/vpc/latest/userguide/VPC\_SecurityGroups.html#AddRemoveRules](https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html#AddRemoveRules)
